CERT Warns of SNMP Vulnerability

CERT/CC recommends ingress filtering to prevent outside machines from logging into corporate servers, and also filtering ports 161/udp and 162/udp.

by Jim Wagner of internetnews.com [February 13, 2002]

Simple network management protocol (SNMP) [definition], the protocol used to remotely administer routers, switches and network management systems is at risk from a new vulnerability discovered by the Oulu University Secure Programming Group (OUSPG) in Finland recently.

The breach is such that it can also let hackers create a "back door" to devices using SNMP, giving hackers the leisure of breaking into the network and returning at a more leisurely pace later.

CERT/CC recommends the temporary stopgap of ingress filtering to prevent outside machines from logging into corporate servers. The organization recommends filtering ports 161/udp and 162/udp.

If the two measures above aren't feasible, CERT/CC also suggests restricting SNMP traffic to virtual private networks (VPNs) or to separate, isolated management networks not available to the public.

SNMP 1 has been around since the early 1980s and several efforts have been made to update the standard to SNMP 2, with no success. Some networks have switched their remote administration protocol to remote monitoring (RMON), which tells technicians more than whether the equipment is functioning or not, but most still use SNMP 1.

The problem is especially vexing because it can't be pinned down to one specific vendor, as is often the case with security vulnerabilities, but must be corrected by many vendors.

A Web page with security patches, by vendor, is available here. Many listed in the previous paragraph already have patches available or have release dates scheduled.

The organization reported increased information about the SNMP vulnerability making its way through the hacker community, so it's likely only a matter of time before the enterprising (or bored) cracker creates an exploit.

— End